Dynamically provisioning middleboxes

A middlebox dynamic provisioning technology, applied in the field of dynamic provisioning of middleboxes, which can address the problems of large scale, heavy reliance on custom-configured network forwarding to provide middlebox traversal, and difficulty in scaling up.

Active Publication Date: 2013-01-03
POLYTECHNIC INSTITUTE OF NEW YORK UNIVERSITY

AI Technical Summary

Benefits of technology

[0022]Exemplary embodiments consistent with the present invention may provision middleboxes in a network dynamically. Such exemplary embodiments may do so by (i) receiving, by an agent, a data packet having a payload and a packet header including an Ethernet header identifying a source address and a destination address in the network; (ii) determining, with the agent and using at least one of the packet header and the payload, a traffic type of the data packet; (iii) selecting, with the agent and based on the traffic type determined, layer-2 forwarding information which encodes a set of one or more non-forwarding network service provider middleboxes in the network to be traversed by the data packet; (iv) inserting, with the agent, the layer-2 forwarding information into the Ethernet header to generate a modified Ethernet header; and (v) forwarding, with the agent and using the layer-2 forwarding information, the data packet having the modified Ethernet header to the network, such that the data packet will then traverse one or more middleboxes, wherein a non-forwarding network service will be provided by each of the one or more middleboxes on the data packet in a sequence.
[0023]In at least some exemplary embodiments consistent with the present invention, the agent receives the data packet from a source host in the network and the act of receiving the data packet from the source host includes (i) requesting, with the source host and using a unicast Address Resolution Protocol (ARP), from an ARP server in the network, a media access control (MAC) address of a destination host to which the data packet is directed in the network, (ii) sending, with the ARP server and responsive to the request, a MAC address of the agent to the source host, (iii) updating, with the source host, the destination address in the Ethernet header of the data packet to the MAC address of the agent, and (iv) forwarding, with the source host, the data packet to the agent.
[0024]In at least some exemplary embodiments consistent with the present invention, performing the non-forwarding network service provided by each of the one or more middleboxes on the data packet in a sequence includes (i) obtaining, using the layer-2 forwarding information, a MAC address of the next one of the one or more middleboxes in the sequence to be traversed, (ii) updating the destination address in the modified Ethernet header of the data packet to the MAC address of the next one of the one or more middleboxes to be traversed to generate an updated modified Ethernet header, and (iii) forwarding the data packet, using the destination address in the updated modified Ethernet header, to the next one of the one or more middleboxes in the sequence to perform the non-forwarding network service provided by the next one of the one or more middleboxes.
[0025]In at least some exemplary embodiments consistent with the present invention, performing the non-forwarding network service provided by each of the one or more middleboxes on the data packet in a sequence further includes (i) determining if a current middlebox is the last middlebox in the sequence to be traversed, (ii) responsive to a determination that the current middlebox is the last middlebox in the sequence, obtaining a MAC address of a destination host to which the data packet is to be transmitted, (iii) updating the destination address of the modified Ethernet header to the MAC address of the destination host, (iv) removing the layer-2 forwarding information from the modified Ethernet header to obtain the original Ethernet header, and (v) forwarding the data packet including the original Ethernet header to the destination host.
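As an added illustration (not code from the patent or its inventors), the following Python model walks a packet through the procedure of [0022]-[0025]: the source host, told by the ARP server that the destination's MAC is the agent's, sends to the agent; the agent classifies the traffic type, encodes the middlebox sequence as layer-2 forwarding information and forwards to the first middlebox; each middlebox rewrites the destination MAC to the next hop, and the last one strips the forwarding information and delivers to the destination host. The MAC addresses, the classification rules, the policy table and the dictionary form of the forwarding information are assumptions, not the patent's encoding.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample addresses and policy; none of these values come from the patent.
AGENT_MAC = "02:00:00:00:00:aa"
MIDDLEBOX_MACS = {"firewall": "02:00:00:00:00:f1", "dpi": "02:00:00:00:00:d1"}
HOST_MACS = {"10.0.0.9": "02:00:00:00:00:09"}   # destination host's real MAC (ARP answer)
POLICY = {"web": ["firewall", "dpi"], "dns": ["firewall"], "other": []}  # type -> sequence


@dataclass
class Packet:
    dst: str                     # Ethernet destination MAC, rewritten hop by hop
    dst_ip: str                  # host the source wants to reach
    dport: int                   # header field the agent classifies on
    payload: bytes
    l2_info: Optional[dict] = None             # layer-2 forwarding info inserted by the agent
    trace: list = field(default_factory=list)  # middleboxes that serviced the packet

def classify(pkt: Packet) -> str:
    """Assumed traffic-type rules using the header (port) and the payload."""
    if pkt.dport in (80, 443) or pkt.payload.startswith(b"GET "):
        return "web"
    return "dns" if pkt.dport == 53 else "other"

def agent_forward(pkt: Packet) -> str:
    """Agent: classify, encode the middlebox sequence into the header, send to hop 1."""
    ttype = classify(pkt)
    hops = [MIDDLEBOX_MACS[name] for name in POLICY[ttype]]
    pkt.l2_info = {"hops": hops, "final_dst": HOST_MACS[pkt.dst_ip]} if hops else None
    pkt.dst = hops[0] if hops else HOST_MACS[pkt.dst_ip]   # empty chain: plain header
    return ttype

def middlebox_process(pkt: Packet) -> None:
    """Middlebox: service the packet, then forward to the next hop; the last hop
    restores the original Ethernet header and sends to the destination host."""
    pkt.trace.append(pkt.dst)
    hops = pkt.l2_info["hops"]
    nxt = hops.index(pkt.dst) + 1
    if nxt < len(hops):
        pkt.dst = hops[nxt]
    else:
        pkt.dst = pkt.l2_info["final_dst"]
        pkt.l2_info = None                   # forwarding info removed

def run(pkt: Packet) -> tuple:
    """Source host sends to the agent (the ARP server answered AGENT_MAC), then the
    packet walks the chain until its destination is no longer a middlebox."""
    pkt.dst = AGENT_MAC
    ttype = agent_forward(pkt)
    while pkt.dst in MIDDLEBOX_MACS.values():
        middlebox_process(pkt)
    return ttype, pkt.trace, pkt.dst, pkt.l2_info
```

Note that the middlebox sequence is carried in the packet itself, so changing POLICY redirects traffic without any change to the underlying forwarding configuration, which is the decoupling the patent describes.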

Problems solved by technology

The increasing variety in DCN designs and host applications, however, makes correct, scalable, flexible and resource-efficient middlebox traversal a challenge.
It may be a challenge to scale up the middlebox system to keep up with the growth.
Middleboxes at perimeters, or any small number of clusters, may experience a bottleneck as traffic converges at them.
The heavy reliance on custom configured network forwarding to provide middlebox traversal has serious drawbacks.
Routing and forwarding configuration alone is already complex.
Adding security may make the configuration even more error prone.
Clusters of hardware lack the flexibility to respond and have a natural bottleneck of network scalability.
Unfortunately, however, specialized switches are needed.
Middlebox deployment may still be partially limited to clusters of deployments at locations that have P-switches deployed.
Unless wide-spread deployment of P-switches is realized, the full flexibility of deploying middleboxes anywhere in the network may not be achieved.
However, inter-VM traffic on the same machine may not be protected unless network forwarding tricks like VLAN separation are used.
The fact that specialized switches are required may also be undesirable.
For example, configuration and changes in routing, load balancing, and traffic engineering in network forwarding typically cause reconfiguration of the middlebox traversal system, and vice versa.
However, a traditional centralized perimeter for security enforcement works against this design principle.
If the web service goes public and becomes well publicized, a sudden surge of traffic may demand additional firewall and DPI capacity.
Unfortunately, given the nature of the cloud paradigm, the churn in traffic loads has to be met by enormous over-provisioning for a highly unpredictable demand.
Operational costs for human intervention are very expensive.
With data centers at a scale that may exceed tens of thousands of servers, switches and middleboxes, daily equipment failures are typical.
Requiring manual operations to correctly and efficiently enforce middlebox traversal upon frequent and automated events may be either inefficient or impossible.



Embodiment Construction

[0034]The present invention may involve novel methods, apparatus, message formats, and / or data structures for provisioning middleboxes in a network dynamically. The following description is presented to enable one skilled in the art to make and use the invention, and is provided in the context of particular applications and their requirements. Thus, the following description of embodiments consistent with the present invention provides illustration and description, but is not intended to be exhaustive or to limit the present invention to the precise form disclosed. Various modifications to the disclosed embodiments will be apparent to those skilled in the art, and the general principles set forth below may be applied to other embodiments and applications. For example, although a series of acts may be described with reference to a flow diagram, the order of acts may differ in other implementations when the performance of one act is not dependent on the completion of another act. Furt...


Abstract

Hybrid security architecture (HSA) provides a platform for middlebox traversal in the network. The HSA decouples the middlebox control from network forwarding. More specifically, such embodiments may receive a data packet having a packet header including an Ethernet header identifying source and destination addresses in the network. A traffic type of the data packet is determined. Then, layer-2 forwarding information, which encodes a set of non-forwarding network service provider middleboxes in the network to be traversed by the data packet, is determined based on the traffic type. The layer-2 forwarding information is inserted into the Ethernet header and the data packet is forwarded into the network. The data packet will then traverse, according to the layer-2 forwarding information, a sequence of the middleboxes in the network, wherein at least one non-forwarding network service will be provided by each of the middleboxes to the data packet in a sequence.

Description

§1. BACKGROUND OF THE INVENTION
[0001] §1.1 Field of the Invention
[0002] The present invention concerns middlebox traversal in a network such as a data center network. More specifically, the present invention concerns dynamic provisioning of middleboxes.
[0003] §1.2 Background Information
[0004] Data Center Networks (DCNs) are used to host an increasing variety of applications and services, and are growing to tens of thousands of machines. Middleboxes are used to provide services such as traffic monitoring, traffic engineering, traffic policing, network and system security enforcements, etc., in DCNs. Together with the booming market of cloud computing, there is a need for high performance, highly scalable and dynamic middlebox provisioning. While recent advances in DCN architecture address many issues such as scalability, latency, etc., a truly dynamic yet network-forwarding independent middlebox traversal platform does not yet exist.
[0005] Middlebox traversal is an important part of the D...


Application Information

Patent Type & Authority Applications(United States)
IPC(8): H04L12/56, H04L45/50
CPC: H04L45/66, H04L67/327, H04L45/50, H04L45/306, H04L67/63
Inventors: CHAO, H. JONATHAN; XI, KANG
Owner POLYTECHNIC INSTITUTE OF NEW YORK UNIVERSITY